Microsoft has released its monthly series of security updates for its software. This round of patches closes more than one hundred vulnerabilities, five of which are labelled as zero-days.
Bleeping Computer has posted an overview of all the vulnerabilities on its website. The zero-day label means that knowledge of these five vulnerabilities already existed in the wild before Microsoft had a patch ready for them. One of them had already been exploited.
Actively exploited zero-day
The most critical vulnerability was CVE-2021-28310. It is a flaw that lets attackers obtain elevated privileges in Windows. According to Kaspersky security researchers, an exploit for it was already used in the wild, presumably combined with other exploits. The security firm suspects the BITTER APT group of abusing the vulnerabilities.
CVE-2021-27091 and CVE-2021-28458 also allow elevation of privilege, through bugs in the RPC Endpoint Mapper service and the Azure ms-rest-nodeauth library, respectively. Furthermore, CVE-2021-28312 is a vulnerability in NTFS and CVE-2021-28437 is a problem with Windows Installer.
Critical vulnerabilities in Exchange
Besides the zero-days, Microsoft has also closed four critical vulnerabilities in Exchange Server. These were found by the National Security Agency. The vulnerabilities allow remote attackers to take over an Exchange server. We have written a separate news item about these vulnerabilities:
Tip: Four new critical vulnerabilities in Exchange
In total, Microsoft has patched 114 vulnerabilities. The company has labeled 19 of these vulnerabilities as critical. All patches can be obtained via Windows Update.